Chapter 8

erosjelly | Security

23 Feb 2014

CHAPTER 8

Securing Information Systems

System Vulnerability


Security (policies, procedures, technical measures) and controls (methods, policies, procedures) are important to ensure your system is not vulnerable


Internet


Emails and other ways hackers access


Wireless security challenges


War driving and RFID bands


Wi-Fi transmission


Malware, viruses, worms, Trojan horses, spyware, SQL injection attacks, key loggers

System Vulnerability (cont.)


Hackers, crackers, Script Kiddies


Spoofing (redirecting web address) and sniffing (eavesdropping program monitoring info over a network)


Denial-of-service (DoS) attack


Distributed denial-of-service (DDoS) attack


Botnet


Computer Crime


Common Computer Crime

System Vulnerability (cont.)


Identity Theft


Phishing


Evil Twins


Pharming


Click Fraud


Cyberterrorism and Cyber Warfare


Internal threats


Social engineering


Software Vulnerability


Bugs and patches

Security and Control


Legal and Regulatory


HIPAA for medical


Gramm-Leach-Bliley (Financial Services Modernization): consumer data in financial institutions


Sarbanes-Oxley Act: protects investors from financial scandals


Electronic Evidence and Computer Forensics


Computer forensics: collecting, authenticating, preserving and analyzing data on storage media for use in court

Security and Control Framework


Types of controls


General (govern the design, security, and use of computer programs and the security of data files throughout the organization’s infrastructure)


Application (specific controls unique to each computerized application, such as payroll or order processing)


Input, Processing, output controls


Risk Assessment (determines level of risk to the firm)


Once risks are assessed, system builders will look at the control points with the greatest vulnerability and potential for loss

Security and Control Framework (cont.)


Security Policy


Created after risk assessment


How to protect company’s assets


Acceptable Use Policy (AUP): acceptable uses of the firm’s info systems, etc.


Identity Management: determine valid users of the system


Disaster Recovery


Hot Site vs. Cold Site


Business Continuity Planning


Auditing


MIS Audit (examines firm’s security environment)

Technologies and Tools for Protecting Info Resources


Identity Management


Authentication


Passwords


Token


Smart Cards


Biometric authentication (human traits)


What you know, what you have, who you are

Technologies (cont.)


Firewalls (prevent unauthorized users from accessing private networks)


Combination of hardware and software that controls the flow of incoming and outgoing network traffic


Identifies names, IP addresses, applications, and other characteristics of incoming traffic


Intrusion detection systems (monitor for vulnerability)


Antivirus and antispyware software


Unified threat management (UTM) (comprehensive security management systems inside a single device)


Wireless Security


Encryption and Public Key Infrastructure


Secure Socket Layer (SSL): secure connection between computers


Secure Hypertext Transfer Protocol (S-HTTP): encrypts messages


Public Key Encryption (PKE): secure encryption that uses two keys


Digital Certificates: data files to establish identity of users and electronic assets


Public key infrastructure (PKI): public key cryptography working with a certification authority.

System Availability


Online transaction processing (OLTP): immediately process transactions


Fault-tolerant computer systems: detect hardware failures


High-availability computing: for recovering quickly from a crash


Downtime: periods when a system is not operational


Recovery-oriented computing: try to minimize downtime


Deep packet inspection (DPI): examines data files and sorts out low-priority online material, assigning higher priority to business-critical functions


Security Outsourcing


Managed security service providers (MSSP): monitor network activity